[Snort-users] Can I make a rule to catch SMTP banners?

Martin Roesch roesch at ...421...
Mon Nov 20 20:57:55 EST 2000


Try this:

alert TCP $EXTERNAL 25 -> $INTERNAL any (msg: "SMTP session"; flags: AP;
content: "220"; depth: 60; content: "SMTP";)

This will look for both the 220 and *SMTP in the packet.  Also, if you're
using the latest from CVS you can use the new "regex" keyword from Fyodor to
allow single (?) and multiple (*) character wildcards in strings.

     -Marty


Jason Haar wrote:
> 
> I'm wondering if we can use Snort for more than just IDS. I was looking at
> something that made me think - "what kinds of mail servers does our mail
> server connect to?".
> 
> Can I make a rule that matches on the first line returned from an outgoing
> SMTP connection: e.g.
> 
> 220 trimble.co.nz ESMTP Trimble Navigation New Zealand Ltd ESMTP
> 
> I thought something along the lines of:
> 
> alert TCP $EXTERNAL 25 -> $INTERNAL any (msg: "SMTP session"; flags: AP;
> content: "220"; depth: 60;)
> 
> should match. However, that matches any SMTP packet containing 220 - not
> just the first one of a session.
> 
> Is there any way to match on just the first occurrence within a single TCP
> session?
> 
> Thanks
> 
> --
> Cheers
> 
> Jason Haar
> 
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
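As an added example (not from Marty's reply or the Snort project), here is a small passive Python checker that does what the stateless content:"220" rule cannot: it keeps per-session state and reports only the first server line of each outbound SMTP connection. The Packet tuple, function names and packet sample are constructed assumptions.

```python
"""Passive SMTP banner collector: report once per TCP session on the
server's first line (what a stateless content:"220" rule cannot do).
Added example, not code from the original post; packet data is constructed."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport payload")

def find_smtp_banners(packets, smtp_port=25):
    """Return [(server_ip, banner)] for the first server->client payload of
    each session on smtp_port whose first line is a 220 greeting.
    Assumes packets arrive in order (a real tool would use reassembled streams)."""
    seen = set()          # sessions whose first server line was already examined
    banners = []
    for p in packets:
        if p.sport != smtp_port or not p.payload:
            continue      # only server-side packets that carry data
        flow = (p.src, p.sport, p.dst, p.dport)
        if flow in seen:
            continue      # later 220s in the session (e.g. after STARTTLS) are ignored
        seen.add(flow)
        first_line = p.payload.split(b"\r\n", 1)[0]
        if first_line.startswith(b"220"):
            banners.append((p.src, first_line.decode("ascii", "replace")))
    return banners

def count_stateless_220(packets, smtp_port=25):
    """How often a content:"220" rule with no session state would fire."""
    return sum(1 for p in packets if p.sport == smtp_port and b"220" in p.payload)

# Constructed sample: one outbound session that includes a second "220"
# reply (to STARTTLS) that the stateless rule also flags, plus a second session.
SAMPLE = [
    Packet("203.0.113.25", 25, "192.0.2.10", 40001,
           b"220 mx.example.net ESMTP Example Mail\r\n"),
    Packet("192.0.2.10", 40001, "203.0.113.25", 25, b"EHLO mail.example.org\r\n"),
    Packet("203.0.113.25", 25, "192.0.2.10", 40001,
           b"250-mx.example.net\r\n250 STARTTLS\r\n"),
    Packet("192.0.2.10", 40001, "203.0.113.25", 25, b"STARTTLS\r\n"),
    Packet("203.0.113.25", 25, "192.0.2.10", 40001, b"220 2.0.0 Ready to start TLS\r\n"),
    Packet("198.51.100.7", 25, "192.0.2.10", 40002, b"220 smtp.example.com ESMTP\r\n"),
]

if __name__ == "__main__":
    print("stateless 220 matches:", count_stateless_220(SAMPLE))
    for server, banner in find_smtp_banners(SAMPLE):
        print(server, banner)
```

On the sample the stateless count is 3 while the per-session collector reports exactly one banner per connection.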
